Cloud and Virtual Networking Concepts
Key Takeaways
- VPCs and VNets are logically isolated cloud networks with subnets, route tables, gateways, and security controls.
- Cloud gateways connect cloud networks to the internet, private circuits, VPNs, or other virtual networks.
- Security groups typically filter at the instance or interface level and are stateful, so return traffic for an allowed connection is permitted automatically; network ACLs, where a platform offers them, filter at the subnet level and are usually stateless, so return traffic needs its own rule. Exact names and behavior vary by platform.
- NFV replaces dedicated network appliances with virtualized functions such as firewalls, load balancers, and routers.
- SDN separates the control plane from forwarding, SD-WAN applies business policy to WAN path selection, and SASE moves security enforcement into cloud edges close to users and cloud apps.
Cloud networking uses familiar ideas with virtual implementation: subnets, routes, gateways, firewalls, NAT, VPNs, load balancers, and DNS. The difference is that many controls are software-defined and managed through a cloud control plane.
| Concept | Vendor-neutral meaning | Common clue |
|---|---|---|
| VPC or VNet | Logically isolated cloud network | Cloud subnets and route tables |
| Subnet | IP range inside a cloud network | Public, private, app, database tier |
| Cloud gateway | Connects the virtual network to another network | Internet gateway, NAT gateway, VPN gateway |
| Security group | Instance or interface-level traffic filter | Allow web inbound only from load balancer |
| Network ACL | Subnet-level traffic filter in many platforms | Stateless rule list clue |
| Load balancer | Distributes traffic across targets | Public app front end or internal service |
VPC and VNet Design
A cloud network often contains multiple subnets across availability zones. Public subnets have a route toward an internet gateway for inbound or outbound internet access. Private subnets usually reach outbound services through NAT or private endpoints and do not accept direct internet-initiated traffic.
| Tier | Common subnet placement | Security focus |
|---|---|---|
| Web or load balancer | Public subnet | Only required ports from internet |
| Application | Private subnet | Allow from load balancer or web tier |
| Database | Private subnet | Allow only from application tier |
| Management | Private subnet or controlled access path | MFA, VPN, ZTNA, bastion, logging |
Gateways and Cloud Connectivity
| Gateway or connection | Purpose |
|---|---|
| Internet gateway | Allows public internet routing for cloud resources with public paths |
| NAT gateway | Allows private resources to initiate outbound internet connections |
| VPN gateway | Encrypted tunnel between cloud and another network |
| Private circuit gateway | Dedicated provider path to cloud |
| Transit gateway or hub | Central routing point between networks |
| Peering | Private connectivity between virtual networks |
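The public/private subnet distinction above comes down to what the subnet's default route points at, and the peering row comes with a classic failure mode (overlapping address ranges). The following is an added example, not code from the original page or from any cloud provider: it models route tables with the Python `ipaddress` module, resolves a destination with longest-prefix match the way a virtual router does, classifies a subnet from its default-route target, and checks candidate peering networks for overlap. Target names such as `igw-1`, `nat-1` and `pcx-1` are assumed labels, not real resource identifiers.

```python
import ipaddress

# Constructed route tables modelled on the public/private layout described
# above. Targets (local, igw-1, nat-1, pcx-1) are assumed labels only.
ROUTE_TABLES = {
    "public-rt": [
        ("10.0.0.0/16", "local"),      # traffic inside the VPC/VNet
        ("0.0.0.0/0", "igw-1"),        # default route to the internet gateway
    ],
    "private-rt": [
        ("10.0.0.0/16", "local"),
        ("10.1.0.0/16", "pcx-1"),      # peering connection to a second network
        ("0.0.0.0/0", "nat-1"),        # outbound-only internet via NAT gateway
    ],
    "isolated-rt": [
        ("10.0.0.0/16", "local"),      # no default route at all
    ],
}


def lookup(table_name, dst_ip):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(table_name):
    """Public if the default route goes to an internet gateway, private if it
    goes to NAT, isolated if an internet address has no route at all."""
    target = lookup(table_name, "203.0.113.10")  # any internet address (TEST-NET-3)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def peering_conflicts(cidrs):
    """Peering cannot route between networks whose CIDRs overlap; return every
    overlapping pair so the conflict is caught before the peering is built."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    for name in ROUTE_TABLES:
        print(name, "->", classify_subnet(name), "| 8.8.8.8 via", lookup(name, "8.8.8.8"))
    print("peering conflicts:", peering_conflicts(["10.0.0.0/16", "10.0.128.0/17", "10.1.0.0/16"]))
```

A private subnet whose default route is accidentally pointed at the internet gateway classifies as public here, which is exactly the misconfiguration behind the "database exposed to internet" symptom: the route alone does not expose the instance, but combined with a public IP and a permissive filter it does.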
NFV, SDN, SD-WAN, and SASE
Network function virtualization moves functions such as firewalls, routers, load balancers, WAN optimization, and intrusion prevention from dedicated appliances into virtual machines or cloud services. Software-defined networking separates the control plane from the data plane so policy can be programmed centrally and pushed to the forwarding devices. SD-WAN applies that software control to WAN links, choosing a path per flow based on business policy, application, link health, and security requirements. SASE combines SD-WAN-style connectivity with cloud-delivered security services such as secure web gateway, CASB, zero trust network access, and firewall as a service, so remote users and branches are inspected at a nearby cloud edge rather than backhauled to a data center.
| Technology | High-level exam meaning | Best clue |
|---|---|---|
| NFV | Network appliance as software | Virtual firewall or virtual router |
| SDN | Centralized programmable network control | Controller programs forwarding behavior |
| SD-WAN | Policy-based WAN path selection | Uses broadband, LTE/5G, MPLS based on app policy |
| SASE | Cloud-delivered network security and access | Remote users reach apps through security service edge |
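SD-WAN path selection is a policy decision, not a static route, so it is worth seeing as logic. The block below is an added illustration written for this page, not any vendor's SD-WAN algorithm: each application class carries an SLA (maximum latency and loss) and a flag for SaaS-bound traffic, each WAN link reports health telemetry, and the selector picks the cheapest link that meets the SLA, falls back to the healthiest link if none does, and sends SaaS traffic to a cloud security service edge instead of the hub overlay. Link names, costs and the `sse-pop` / `hub-overlay` next hops are constructed values.

```python
# Constructed link telemetry: what an SD-WAN edge learns from probing each
# circuit. Cost is an arbitrary preference (lower is cheaper/preferred).
LINKS = {
    "mpls":      {"up": True, "latency_ms": 40, "loss_pct": 0.0, "cost": 3},
    "broadband": {"up": True, "latency_ms": 25, "loss_pct": 0.2, "cost": 1},
    "lte":       {"up": True, "latency_ms": 90, "loss_pct": 1.5, "cost": 2},
}

# Constructed per-application policy: the SLA the app needs, and whether it is
# SaaS/internet bound and therefore eligible for local breakout through the
# cloud security service rather than hairpinning through headquarters.
POLICY = {
    "voice":  {"max_latency_ms": 50,  "max_loss_pct": 0.5, "saas": False},
    "saas":   {"max_latency_ms": 150, "max_loss_pct": 2.0, "saas": True},
    "backup": {"max_latency_ms": 500, "max_loss_pct": 5.0, "saas": False},
}


def meets_sla(link, sla):
    """A link is usable for an app only if it is up and inside the SLA bounds."""
    return (
        link["up"]
        and link["latency_ms"] <= sla["max_latency_ms"]
        and link["loss_pct"] <= sla["max_loss_pct"]
    )


def select_path(app, links=LINKS, policy=POLICY):
    """Return (link_name, next_hop) for the application class, or None if
    every circuit is down.

    1. Prefer the cheapest link that meets the app's SLA.
    2. If none meets it, degrade gracefully onto the healthy link with the
       lowest loss (then latency) instead of blackholing the traffic.
    3. SaaS classes break out locally to the security service edge; everything
       else rides the encrypted overlay to the hub.
    """
    sla = policy[app]
    candidates = [name for name, link in links.items() if meets_sla(link, sla)]
    if candidates:
        chosen = min(candidates, key=lambda n: links[n]["cost"])
    else:
        healthy = [name for name, link in links.items() if link["up"]]
        if not healthy:
            return None
        chosen = min(healthy, key=lambda n: (links[n]["loss_pct"], links[n]["latency_ms"]))
    next_hop = "sse-pop" if sla["saas"] else "hub-overlay"
    return chosen, next_hop


if __name__ == "__main__":
    for app in POLICY:
        print(app, "->", select_path(app))
```

The security point is in step 3: the SaaS flow is not "sent straight to the internet", it is sent to the cloud security service, so the branch loses the headquarters hairpin without losing inspection.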
PBQ-Style Thinking
Scenario: A three-tier cloud app has public load balancers, private application servers, and private databases. A correct security group design allows HTTPS (443) from the internet (0.0.0.0/0) to the load balancer, allows the application port from the load balancer to app instances, and allows the database port only from app instances. Write the app and database rules to reference the source tier's security group rather than fixed IP addresses, so the rules keep working when instances are replaced. Never open database ports to the internet.
Scenario: A company wants branch traffic to use whichever WAN circuit is healthy and to send SaaS traffic directly through cloud security controls instead of hairpinning everything through headquarters. SD-WAN and SASE concepts fit the requirement: policy-based path selection plus cloud-delivered security enforcement.
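The three-tier scenario above is easiest to reason about as data plus an evaluator. The block below is an added example written for this page, not any provider's configuration: it encodes the three security groups with group-to-group references, evaluates whether a given source may open a connection to a given instance (stateful allow-list semantics), audits the groups for sensitive ports opened to the whole internet, and contrasts that with a stateless network ACL, where forgetting the ephemeral-port return rule silently breaks the same connection. Group names, instance names and addresses are constructed.

```python
import ipaddress

# Constructed three-tier design. Each rule is (protocol, port, source) where
# source is a CIDR or the name of another security group.
SECURITY_GROUPS = {
    "lb-sg":  [("tcp", 443, "0.0.0.0/0")],   # internet -> load balancer
    "app-sg": [("tcp", 8080, "lb-sg")],       # only the LB tier -> app
    "db-sg":  [("tcp", 5432, "app-sg")],      # only the app tier -> database
}

# Constructed instances: which group each belongs to and its private address.
INSTANCES = {
    "lb-1":  ("lb-sg", "10.0.1.10"),
    "app-1": ("app-sg", "10.0.2.10"),
    "db-1":  ("db-sg", "10.0.3.10"),
}

INTERNET_CLIENT = "198.51.100.7"   # constructed external address (TEST-NET-2)


def inbound_allowed(src, dst_instance, proto, port):
    """Stateful security-group check: a connection is permitted if any inbound
    rule on the destination's group matches; return traffic is then implied.
    src is an instance name (matched by its group) or a bare IP address."""
    dst_sg = INSTANCES[dst_instance][0]
    src_sg, src_ip = INSTANCES[src] if src in INSTANCES else (None, src)
    src_addr = ipaddress.ip_address(src_ip)
    for rule_proto, rule_port, source in SECURITY_GROUPS[dst_sg]:
        if rule_proto != proto or rule_port != port:
            continue
        if source in SECURITY_GROUPS:          # reference to another group
            if source == src_sg:
                return True
        elif src_addr in ipaddress.ip_network(source):
            return True
    return False                                # no match: implicit deny


def audit_internet_exposure(groups=SECURITY_GROUPS,
                            sensitive_ports=(22, 3389, 1433, 3306, 5432, 6379)):
    """Flag any rule that opens a sensitive port to a /0 (the whole internet)."""
    findings = []
    for name, rules in groups.items():
        for proto, port, source in rules:
            if source in groups or port not in sensitive_ports:
                continue
            if ipaddress.ip_network(source).prefixlen == 0:
                findings.append((name, proto, port, source))
    return findings


# Constructed subnet-level network ACL: numbered, evaluated lowest number
# first, stateless, so the return direction needs its own explicit rule.
NACL = [
    (100, "inbound",  "tcp", (443, 443),     "0.0.0.0/0", "allow"),
    (100, "outbound", "tcp", (1024, 65535),  "0.0.0.0/0", "allow"),  # ephemeral return ports
    (32767, "inbound",  "any", (0, 65535),   "0.0.0.0/0", "deny"),
    (32767, "outbound", "any", (0, 65535),   "0.0.0.0/0", "deny"),
]


def nacl_decision(rules, direction, proto, port, ip):
    """First matching rule by number wins; nothing matching means deny."""
    addr = ipaddress.ip_address(ip)
    for _num, rule_dir, rule_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rule_dir != direction or rule_proto not in (proto, "any"):
            continue
        if lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action
    return "deny"


if __name__ == "__main__":
    print("internet -> lb 443:", inbound_allowed(INTERNET_CLIENT, "lb-1", "tcp", 443))
    print("internet -> db 5432:", inbound_allowed(INTERNET_CLIENT, "db-1", "tcp", 5432))
    print("lb -> db 5432:", inbound_allowed("lb-1", "db-1", "tcp", 5432))
    print("audit findings:", audit_internet_exposure())
```

The audit is the kind of check to run against exported rules before a change lands; the NACL half shows why a "tunnel up but no traffic" or "web server unreachable" symptom sometimes traces to a missing stateless return rule rather than to the security group.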
Common Cloud Routing Traps
| Symptom | Likely area to check |
|---|---|
| Private server cannot reach updates | NAT gateway, outbound (default) route, security group or ACL egress rules |
| Public web server unreachable | Public IP assignment, route to internet gateway, security group, stateless ACL return rule |
| Database exposed to internet | Public IP, subnet route to internet gateway, security group or ACL rules allowing 0.0.0.0/0 |
| Two VNets cannot communicate | Peering state, route table entries on both sides, overlapping CIDR |
| VPN tunnel up but no traffic | Routes on both sides, matching encryption domains (traffic selectors), firewall rules |
Cloud terms vary by provider, but Network+ tests the concept. Translate the brand-specific word into the network function: isolated network, subnet, route, gateway, filter, inspection, or policy controller.
A cloud database should accept connections only from application servers in a private subnet. Which control most directly enforces that traffic rule at the instance or interface level?
A private cloud server needs outbound internet access for updates but should not receive unsolicited inbound internet traffic. Which gateway concept is most likely needed?
Which descriptions match SD-WAN or SASE concepts? Choose two.